[nsp] Netflow questions - flow expiry

Steve Francis steve at expertcity.com
Tue Aug 19 10:40:55 EDT 2003 

Thanks, that was a very helpful answer.

So the documentation is just totally incorrect when if says that the MLS 
entry will be flushed when "The transport protocol indicates that the 
connection is completed", or is that just omitting that it only applies 
to flows entries to the router itself?

TIA
Ian Cox wrote:

> At 12:07 PM 8/14/2003 -0700, Steve Francis wrote:
>
>> So I just noticed that I am vastly exceeding the 32K suggested number 
>> of MLS entries on a Cat6K with Sup2/PFC2/MSFC2.
>> This gives rise to a few questions:
>> Per the docs:
>>
>> Flow entries in the MLS cache expire and are flushed from the MLS 
>> cache when one of the following conditions occurs:
>> - The transport protocol indicates that the connection is completed.
>> - Traffic inactivity exceeds 15 seconds.
>>
>> Given I have mls flow ip destination-source, this means that the 
>> router is not looking at the transport protocol, so it seems the 
>> first statement does not apply. Can anyone confirm that with a flow 
>> mask of FULL, the mls netflow entry is purged once the TCP FIN flags 
>> go by?
>> Otherwise I guess I get to play with the aging timers...
>
>
> The hardware netflow table does not use the tcp flags as a basis to 
> age flows. Inactivity time and/or number of packets in a particular 
> interval (fast aging) are used. Turn on fast aging on the system is 
> the best option. If you have not already done change the normal aging 
> down to 32 seconds, that is the minimum value.
>
>
>> Also, what is the effect of exceeding the 32K limit? "If the number 
>> of MLS entries exceeds 32K, only adjacency statistics might be 
>> available for some flows." What does that mean?
>
>
> The netflow table is comprised of 8 pages of 16k entries each. A hash 
> function is used to place entries into the table and the flow mask 
> determines what bits in the IP header / and/or TCP/UDP header are used 
> as input into the hash function. The table is 128k entries in total, 
> with a 99.99% probability with normal traffic 32k entries will fit 
> into the table for Sup1A, Sup2. (Sup720 uses a different algorithm 
> that is much more effective and can achieve 90k).
>
> Exceeding 32k entries on Sup1A, Sup2 just means there is a higher 
> probability a flow will not fit into the hardware table. You can check 
> the number of packets that statistics are not being recorded for in 
> images higher than 12.1(13)E8 or 12.1(19)E1 via:
>   remote command switch show earl statis | inc NF_FULL
>
>
> Ian
>
>> Thanks
>>
>>
>>
>>
>> _______________________________________________
>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>> http://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

More information about the cisco-nsp mailing list